Microsoft Helps to Promote Privacy With Award Sponsorship
The 2007 Privacy Enhancing Technologies workshop has recognised three teams of leading computer science researchers that have explored privacy issues inherent to the security of radio frequency identification devices, automated trust negotiation and complex graphs based on private social networks.
OTTAWA, Canada (rushprnews) 22 June 2007 — Leading academics from around the world will come together this week at the Privacy Enhancing Technologies (PET) workshop to discuss the latest advances in privacy and bring together perspectives on the issue from diverse fields including cryptography, law and economics.
PET was launched six years ago as a specialised conference focused on anonymous communication and has since expanded to cover a wide range of challenging technical problems that must be overcome to define and protect individuals’ privacy.
George Danezis, a post-doctoral researcher in Privacy Technology at the Katholieke Universiteit (KU) in Leuven, Belgium, says, “The PET workshop, once more, will gather all people working to make IT compatible with our basic value of privacy. The associated WOTE event focuses exclusively on the hot area of secure electronic elections.”
As a sponsor of the PET workshop, Microsoft offers stipends to graduate students who want to attend the workshop but lack adequate funding. It also funds an annual €3,000 prize, in conjunction with the Office of the Information and Privacy Commissioner of Ontario, Canada, for the best paper in privacy technology research. The prize is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation or deployment of privacy-enhancing technology. The winner is chosen by a committee of leading privacy researchers, with no involvement from Microsoft in the decision-making process.
Caspar Bowden, chief privacy advisor for Microsoft Europe, Middle East and Africa, says, “Any peer-reviewed paper published in the preceding year is eligible for nomination for the PET Award. We wanted to support a prize that was judged by leading privacy technologists, for leading privacy technologies. It’s a great way for the best researchers from a variety of fields within privacy research to recognise and support the exceptional technical work of their peers.”
“This year’s PET award finalists are representatives of the breadth of the privacy technology field, with the winner presenting an analysis of a radio frequency identification (RFID) scheme, and the runners-up looking to protecting privacy in online social networking sites as well as trust negotiation using advanced cryptographic techniques,” Danezis says. “These papers will be references for researchers over the next few years. They represent work that is both groundbreaking as well as the culmination of many years of research.”
Exposing the Security Issues of RFID
Students from Johns Hopkins University collaborated with researchers from RSA Laboratories to win this year’s PET award for a research programme that challenged the security and privacy issues of RFID.
Steve Bono, Matthew Green, Adam Stubblefield and Avi Rubin, students at Johns Hopkins University, and Ari Juels and Michael Szydlo, from RSA Laboratories, undertook a black-box cryptographic analysis of Texas Instruments’ RFID Digital Signal Transponder (DST). DSTs and similar devices secure millions of automated petrol payment systems and car ignition keys.
To challenge the security of the transponder, the team reverse engineered the RFID application using experimental observation of responses from the DST to determine the functional details of the cipher underpinning the challenge-response protocol in the device. Noting that the key length for the DST is 40 bits, the research group set up 16 parallel field-programmable gate arrays that could crack the DST key in under an hour. With the key and serial number of a DST, radio frequency output could be simulated and an RFID reader spoofed. Proving its conclusion that cryptographic protection provided by a DST is relatively weak, the team purchased gasoline at a service station and started a car using simulated DST devices.
While the team used inexpensive, off-the-shelf equipment and had minimal radio frequency expertise, the impact of its work has been dramatic, causing RFID vendors to review the technology and putting RFID security and privacy issues in the public domain.
The Language of Trust
William Winsborough, a professor in the department of computer science at the University of Texas at San Antonio, together with Jiangtao Li and Ninghui Li, both at the Department of Computer Science at Purdue University, were also recognised at the awards for their work on automated trust negotiation (ATN). This is the process that allows two parties to exchange digitally signed credentials that contain attribute information to establish trust and make access control decisions.
To date, ATN development has been fragmented, with cryptographic credential schemes and associated protocols being established to resolve specific problems, such as the need to disclose more information, which is often sensitive, than is necessary to satisfy a particular requirement of negotiation. Challenging the fragmented nature of ATN, Winsborough and his team have developed a framework for negotiation in which diverse credential schemes and protocols can be combined, integrated and used as required. This over-arching solution includes a policy language that allows a negotiator to specify authorisation requirements that must be fulfilled by a counterparty if they are to receive information about credentials and attributes.
Working together, the framework and language support sophisticated privacy-protection techniques, for example, allowing two parties to know the outcome of an automated negotiation without disclosing detailed information. The Winsborough team’s work is already being applied to trust negotiation for relational database systems and web services, but it could also be extended to applications in digital identity management that require the highest level of privacy protection.
Protecting Privacy in Social Network Graphs
Philippe Golle at Palo Alto Research Centre and Keith Frikken at Miami University were noted in the PET awards for their work on protecting privacy while creating social network graphs. Their paper, “Private Social Network Analysis: How to Assemble Pieces of a Graph Privately,” sets out a theory of how to create large social network graphs that could be used in functions such as marketing, medicine or security while preserving individuals’ privacy.
Initial graphs are created by connections in distributed systems, such as social networks, online communities and peer-to-peer networks. Knowledge of the graphs is distributed among a large number of people, each of whom knows only a small piece of the graph. Attempts to assemble the small pieces often fail, however, as individuals refuse to share their local knowledge of the graph.
To overcome these privacy concerns, Golle and Frikken propose the construction of a large graph in a way that hides the correspondence between nodes and edges in the graph and the real-life entities and relationships that they represent. Privacy threats posed by malicious nodes giving incorrect information so that they can later jeopardise the anonymity of others on the graph are restricted by unique protocols, fulfilling the vision of global social network graphs that could benefit world development without compromising privacy.